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Comments on the EDPB’s draft “Guidelines 10/2020 on restriction 
under Article 23 GDPR” 


We welcome the opportunity to present our comments to the recently published EDPB draft 
Guidelines 10/2020. 


General comments 
The problem of instructions addressed to national parliaments 


In general, we very much welcome that EDPB publishes its views on the interpretation of Article 
23 of the GDPR. We fully agree with most of the EDPB's conclusions presented in this 
proposal. It cannot be, however, overlooked that the EDPB, in addition to the EU legislators’, 
mainly addresses the parliaments of individual Member States (although, as the EDPB rightly 
points out, Article 23 allows derogations to be adopted by national law instruments other than 
parliamentary laws). 


National parliaments are the supreme representation bodies of citizens in the individual 
Member States. Although the supremacy of European law over national law is widely 
acknowledged and some powers of national parliaments have been transferred to the EU level 
(in the Czech Republic as incorporated in Article 10a of the Czech Constitution), this does not 
change the fact that parliaments in the Member States remain the highest legislative body 
adopting national law. Parliaments are empowered to adopt legislative acts in their 
independent discretion (of course in compliance with the obligations of the Member State 
under international law and treaties as well as the requirements of European law). From this 
point of view, it is highly arguable whether any EU (administrative) institution could issue 
"guidelines" binding upon the national parliaments, all the more so where a binding nature 
and/or legal effects of guidelines remain unclear and have not been yet properly established. 
Guidelines are still to be read only as soft-law. From this point of view, the chosen form of the 
EDPB document, i.e. guidelines within the meaning of Article 70 (1) (e) of the GDPR, appears 
to be a rather unsuitable legal instrument, as it can be considered as an inappropriate form of 
interference by EU institutions in national sovereignty. 


We believe that Article 70 of the GDPR cannot be interpreted or applied in a way that would 
entitle the EDPB to influence the activities of national parliaments under soft law. If the 
European legislator intended to confer such a power on the EDPB, even if the Treaties allowed 
so, it would certainly be expressly stated in Article 70 (in the light of the doubts set out above). 


1 We leave aside the impact of the restriction according to Article 23 on legislative activity at EU level, where 
the GDPR as a regulation can of course be amended by another regulation (as the EDPB also focuses in its draft 
guidelines on exemptions provided for by national law). 
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The purely consultative role of the national supervisory authorities in the national legislative 
procedure is regulated in Article 36 (4) of the GDPR. 


From this point of view, it would therefore seem more appropriate to issue the discussed 
document as a recommendation which, although enshrined in legislation only generally, clearly 
does not constitute a binding document in any way. 


The conflict of fundamental rights 


Furthermore, we would like to provide general comments to the argumentation relying on 
Article 52 of the EU Charter of Fundamental Rights, as stated, for example, in point 2 of the 
Guidelines. We believe that Article 52 (1) of the Charter cannot be applied in the sense 
indicated by the EDPB where there is a conflict between several equally important fundamental 
rights. In such circumstances, equally strong and important interests need to be balanced. This 
may apply to the discussed Article 23 of the GDPR, e.g. under paragraph 1 (i) or (j). This may 
be particularly restrictive, for example, to the requirement to comply with the notion of "strictly 
necessary" mentioned in point 42 of the proposal. 


General public interest requirement 


The guidelines seem to link the exemptions under Article 23 (1) solely with the notion of 
"general interest" or "general public interest" (see, for example, point 39 or 42). It should be 
noted that some of the exceptions under Article 23 (1) do not have to be aimed at protecting 
the “general interest” but rather the interest of the individual (see Article 23 (1) (i) (j) of the 
GDPR). 


Requirements for Member States' authorities compared to the practice of the EU 
institutions 


We generally agree with EDPB's interpretation of Article 23 (2) and the requirements set out 
therein. However, we must point out that it would be appropriate to align the requirements 
under Article 23 (2) of the GDPR with the practice of some EU institutions in limiting the rights 
of data subjects under Article 25 of EU Regulation 2018/1725 (as declared in the acts 
published in Official Journal). Decisions regarding these restrictions are in some cases 
formulated in a very general way and without further additional information value for data 
subjects. The references to the general public interest thus seem unsubstantiated. 


To individual points: 


Point 33. We do not consider the example given here to be appropriately chosen, as it rather 
aims at the matters regulated (except for whistleblowing) by EU Directive 2016/680. We 
believe that it would be more appropriate to use another example, which would better 
demonstrate the difference between matters regulated by the GDPR and matters regulated by 
EU Directive 2016/680 (as correctly stated, for example, in point 24 of the proposal by 
reference to rec. 19 of the GDPR). 


Point 67. We consider that the broad involvement of DPOs in the Article 23 compliance 
process is appropriate. On the other hand, in our opinion, the requirement that the DPOs be 
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always informed is not justifiable and reasonable. In practice, this can lead to DPOs being 
unnecessarily burdened with repeated reports of the same type of severity. The DPOs should 
have more room for discretion, for instance, to determine that certain types of restriction shall 
not be individually reported to DPO, provided, of course, that the DPO can always request 
access to documentation in all cases (i.e. to carry out random checks). This will prevent 
unnecessary administrative pressure on the DPOs and at the same time allow the DPOs to 
focus on serious cases to which they will be able to devote more time. 


We are grateful for the opportunity to provide our comments on the draft 
Recommendation. 


Prague, 11 February 2021 


JUDr. Viadan Ramis, Ph.D. Mgr. Alice Selby, LLM 
Chairman of the Committee Member of the Committee 
Spolek pro ochranu osobních údajů Spolek pro ochranu osobních údajů 
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